Keep at it. I'm currently stuck on not knowing how to obtain the encrypted sign value.
Opened this issue · 65 comments
The OCR and simple packet-capture versions out there are all too weak; in the end you have to simulate a person writing. I've finished my analysis and am now stuck on the sign value. I don't really understand reverse engineering, so for that part I'm waiting on the OP. Once the sign value is known, you can get the exam questions and answers in advance and also submit answers. But the sign for fetching answers and the sign for submitting answers are different, so we need to reverse how it is actually computed.
For sign, the concrete encryption algorithm is located in com.fenbi.android.leo.webapp.secure.commands.RequestConfigCommand.Companion.c, but that method cannot be fully exported from the dex and I can't decompile the source. There is probably no concrete sign algorithm in there anyway; I'm analysing the call flow and plan to go the hooking route: pass a URL without sign in to frida and get a URL with sign out, with the computation in between done by the 小猿口算 app itself.
Right, decompilation rarely recovers the source. No worries, the OP's idea is good too, haha. It's up to you; once you succeed I'll borrow your method.
On Android the sign is ultimately computed by a native method, in libRequestEncoder.so.
I've already got sign generation working with unidbg.
How is it generated? Could you open-source it so we can take a look?
Below is the unidbg code. The CharArray in it has to be created as he described; tweak it and it should work, but it's not guaranteed. In my test the login still seemed to fail.
```java
package com.xiaoyuan;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.hook.hookzz.*;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ArrayObject;
import com.github.unidbg.linux.android.dvm.array.CharArray; // not shipped with unidbg: add your own, modelled on its ByteArray
import com.github.unidbg.linux.android.dvm.wrapper.DvmInteger;
import com.github.unidbg.memory.Memory;
import com.sun.jna.Pointer;
import net.dongliu.apk.parser.bean.CertificateMeta;

import java.io.File;
import java.io.IOException;

public class Xiaoyuan extends AbstractJni {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    public DvmClass EClass;
    public String apkPath = "E:\\unidbg\\apks\\xy\\xy.apk";

    Xiaoyuan() {
        // 32-bit ARM emulator: the .so loaded below must be the armeabi-v7a build
        emulator = AndroidEmulatorBuilder.for32Bit().build();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        // the APK supplies the signing certificate that PackageInfo.signatures is answered from
        vm = emulator.createDalvikVM(new File(apkPath));
        vm.setVerbose(true); // log every JNI call the .so makes; this is how you find what still needs patching
        DalvikModule dm = vm.loadLibrary(new File("E:\\unidbg\\apks\\xy\\libRequestEncoder.so"), true); // load the .so into emulated memory
        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator); // runs RegisterNatives, binding zcvsd1wr2t and sdwioxccsd
        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");
    }

    public String call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"), // request path
                new StringObject(vm, "wdi4n2t8edr"),                         // salt handed in by the Java layer
                -28673                                                        // third int argument as captured
        );
        return result == null ? null : result.getValue();
    }

    public static void main(String[] args) {
        Xiaoyuan getSign = new Xiaoyuan();
        System.out.println("sign = " + getSign.call_zcvsd1wr2t());
        getSign.destroy();
    }

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        // the .so reads android.os.Build$VERSION.SDK_INT (visible in the verbose trace); fake an API level
        if ("android/os/Build$VERSION->SDK_INT:I".equals(signature)) {
            return 27;
        }
        return super.getStaticIntField(vm, dvmClass, signature);
    }

    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                // the .so fetches the Application through this static getter
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/content/Context").newObject(null);
            }
            case "android/content/pm/Signature->toChars()[C": {
                // Android's Signature.toChars() returns the DER certificate hex-encoded, two chars per byte
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();
                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length * 2];
                final char[] hex = "0123456789abcdef".toCharArray();
                for (int i = 0; i < bytes.length; i++) {
                    chars[i * 2] = hex[(bytes[i] >> 4) & 0xf];
                    chars[i * 2 + 1] = hex[bytes[i] & 0xf];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }
}
```
That's really impressive, way better than me.
I still need to keep learning; right now I'm not able to analyse the .so.
I just copied it, nothing impressive.
Bad news: it's encrypted (
Good news: most likely it's decrypted on the front end, because the .so doesn't seem to have changed.
What got encrypted, the returned data such as the questions?
libRequestEncoder.so
```java
package com.fenbi.android.leo.utils;

public class e {
    static {
        System.loadLibrary("RequestEncoder"); // libRequestEncoder.so
    }

    // sign generation: request path, salt, int flag -> sign
    public static native String zcvsd1wr2t(String str, String str2, int i11);
}
```
This is the sign-encryption call function I worked out yesterday. This morning I noticed there's a web page you can log in on; I debugged it and found the login uses AES encryption. Hoping an expert can reverse the algorithm.
Once sign is cracked you can send the packets directly and score the points. Looking forward to the experts' work.
Post the login URL and I'll take a look. My analysis of the .so algorithm is just one piece short; it looks like AES.
https://m.yuanfudao.com/u/login/force?backUrl=https%3A%2F%2Fm.yuanfudao.com%2Fnative%2Fmy-coins
Key function:
```javascript
// from the web login page: a PEM-encoded public key is loaded, then the value n is encrypted with it
return t.setPublicKey("-----BEGIN PUBLIC KEY-----\n ".concat("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSovT1rrwzrGoMCFb6z8e+5lzVdAD5o8krGIwdfxrVE2OnMijUZdkQk7etPJvZ2JOVXghthAGUUJkDUE8n2ZMNFKPjMrQJI49ewVzqWOKOvgU6Iu60Sn0xpeietP1wWXBkszdV1WfNBJUo2hhPDnIPMGzzdfLW5rMu+tczeUriJQIDAQAB", "\n -----END PUBLIC KEY-----")),
    t.encrypt(n)
```
Hooking this directly gives the first parameter as the API path and the second as wdi4n2t8edr, but the third int can't be read.
I traced it with objection; the third parameter takes three values: 1, -1, and empty.
The .so implementation is 555 lines of pseudocode; I really don't have the ability to follow the logic.
Hook the function sub_43B54 in this .so and you can see the final encrypted result. It's a standard MD5.
I can see that, but not the concrete logic, so I still can't generate sign myself and encrypt the data to implement the whole flow.
The password encryption doesn't matter; the main thing is the .so sign. This page doesn't seem to have a sign parameter.
/leo-gateway/android/auth/password
wdi4n2t8edr
bcd65d0baba159174a6b3331ac998605 MD5 of urlPATH + salt
/leo-gateway/android/auth/password
654194b4dbd03e4dc79ccbce86dda67a MD5 of the first few parts added together
3074026880171896034922881047576209528810400183074026880576209548017464801746181677721628810478167772164801746557620954172881047335544322400873173201164288104791757620952619134175762095179603492288104942881047826191349603492189603492717728810479288104787174801746576209517288104941728810464320116418517320116528810478288104172881046432011652881047842881047822161902881047817335544322881047822161902400873181778326d1162fb5f38730d95b2fd7286c14
wdi4n2t8edr
This is what I've analysed. Now only
3074026880171896034922881047576209528810400183074026880576209548017464801746181677721628810478167772164801746557620954172881047335544322400873173201164288104791757620952619134175762095179603492288104942881047826191349603492189603492717728810479288104787174801746576209517288104941728810464320116418517320116528810478288104172881046432011652881047842881047822161902881047817335544322881047822161902400873181778326d1162fb5f38730d95b2fd7286c14
remains, and I can't work it out.
What's sub_43b54? The one I hooked is sub_61BD4, which gets that salt.
It's the offset of a function in the .so. Getting the salt is useless; the salt is already passed in from the Java layer.
Have you traced the time parameter?
Using a dump script:
java_class: com.fenbi.android.leo.utils.e name: zcvsd1wr2t sig: (Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String; fnPtr: 0x703c321be4 fnOffset: 0x703c321be4 libRequestEncoder.so!0x61be4 callee: 0x703c322930 libRequestEncoder.so!0x62930
Do you mean the place where the .so layer gets the timestamp?
Different versions may have different addresses too.
The concrete timestamp that gets passed in; I couldn't hook it out and wanted to see the format.
Do you mean the timestamp in the headers? The .so's sign-generation function doesn't seem to have it passed in; it gets the timestamp by calling a function internally.
zcvsd1wr2t corresponds to what appears to be address 0x414E8; the other one, sdwioxccsd, appears to be at 0x40C6C.
Yours is just an RPC call, right?
gan_sign_model.py is responsible for driving gan_sign_model.js, and gan_sign_model.js is responsible for hooking and calling the functions in libRequestEncoder.so.
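The hook-and-call approach described above is the quickest way to settle the open questions in this thread (what the third int is, and what the native entry returns), because a Java-layer hook sees all three arguments as typed values and a native hook sees the jint directly in args[4]. The following is an added example written for this thread, not the gan_sign_model.js mentioned above: a Frida script that hooks both layers, logs every call, and exposes the Java method over rpc.exports so a Python driver can request signs. The native offset 0x414e9 is taken from the RegisterNatives line in the unidbg trace posted in this thread for the ARM32 build (bit 0 set marks Thumb code, which Interceptor.attach requires on 32-bit ARM); it is an assumption for any other version or ABI (the 64-bit dump in the thread shows 0x61be4), so read it from your own trace first. stringFromJni is frida-java-bridge's helper for reading a jstring.

```javascript
'use strict';
// Added example (not gan_sign_model.js from the thread): Frida script hooking the sign
// call at the Java layer and at the native RegisterNatives entry point.
const LIB = 'libRequestEncoder.so';
const CLS = 'com.fenbi.android.leo.utils.e';
const SIGN_NATIVE_OFFSET = 0x414e9; // assumption: ARM32 build as in the unidbg trace; per version and ABI

// A jint copied out of a register dump arrives as a raw 32-bit word; read it as two's complement.
function asInt32(raw) {
  return raw | 0;
}

// One record shape for both hooks so the Python side can diff the Java and native views.
function signRecord(layer, path, salt, flag, sign) {
  return { layer, path, salt, flag, sign };
}

function hookJavaLayer() {
  const E = Java.use(CLS);
  E.zcvsd1wr2t.overload('java.lang.String', 'java.lang.String', 'int')
    .implementation = function (path, salt, flag) {
      const sign = this.zcvsd1wr2t(path, salt, flag); // call through to the native method
      console.log(JSON.stringify(signRecord('java', path, salt, flag, sign)));
      return sign;
    };
  E.sdwioxccsd.implementation = function () {
    const v = this.sdwioxccsd();
    console.log('sdwioxccsd() => ' + v);
    return v;
  };
}

// Native JNI signature: (JNIEnv*, jclass, jstring path, jstring salt, jint flag) -> jstring.
function hookNativeLayer() {
  const mod = Process.findModuleByName(LIB);
  if (mod === null) {
    console.log(LIB + ' is not loaded yet; trigger a request first and re-run');
    return;
  }
  Interceptor.attach(mod.base.add(SIGN_NATIVE_OFFSET), {
    onEnter(args) {
      const env = Java.vm.getEnv();
      this.rec = signRecord('native',
        env.stringFromJni(args[2]), env.stringFromJni(args[3]), args[4].toInt32(), null);
    },
    onLeave(retval) {
      this.rec.sign = retval.isNull() ? null : Java.vm.getEnv().stringFromJni(retval);
      console.log(JSON.stringify(this.rec));
    }
  });
}

const inFrida = typeof Java !== 'undefined' && typeof Interceptor !== 'undefined';
if (inFrida) {
  Java.perform(() => {
    hookJavaLayer();
    hookNativeLayer();
  });
  // Python driver: script.exports.sign('/leo-gateway/android/auth/password', 'wdi4n2t8edr', 0)
  rpc.exports = {
    sign(path, salt, flag) {
      return new Promise((resolve, reject) => {
        Java.perform(() => {
          try { resolve(Java.use(CLS).zcvsd1wr2t(path, salt, flag)); } catch (e) { reject(e); }
        });
      });
    }
  };
}
```

Run it with `frida -U -f com.fenbi.android.leo -l sign_hook.js` (or attach to the running process) and perform one request in the app: the Java and native records for the same call should agree, and a raw register value such as 0xffff8fff in a dump decodes through asInt32 to -28673, the flag value seen in the first unidbg snippet in this thread. Because the native hook sits on the RegisterNatives address rather than an exported symbol, it silently hooks the wrong code if the offset is stale; if the native record never appears while the Java one does, re-read the offset.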
Is the SIGN class com.fenbi.android.leo.imgsearch.sdk.network.h?
It's in com.fenbi.android.leo.utils.e:
```java
package com.fenbi.android.leo.utils;

/* loaded from: classes3.dex */
public class e {
    static {
        System.loadLibrary("RequestEncoder"); // libRequestEncoder.so; its JNI_OnLoad registers the two natives below
    }

    public static native String sdwioxccsd();

    public static native String zcvsd1wr2t(String str, String str2, int i11);
}
```
pcVar22 = (char *)operator_new__(0x20);
The pcVar22 in this line should point to the RC4 key, but the computation is too complex, g
fun_001eefc.txt
Could I ask for the concrete address in the .text section? Reversing with IDA Pro 8 gives different sub_ names.
In theory, once you have the pseudocode of the core function and its dependencies, could you compile an x86 lib from it and hand that straight to Python and Java?)
```java
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray; // custom class, not part of unidbg
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.io.IOException;

public class Main extends AbstractJni {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    public DvmClass EClass;
    public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk";

    Main() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.fenbi.android.leo")   // what the .so sees as its own process name
                .addBackendFactory(new Unicorn2Factory(true))
                .build(); // create the emulator; 32-bit vs 64-bit is chosen here and must match the .so's ABI
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath)); // the APK provides the signing certificate
        vm.setVerbose(true); // print every JNI call the .so makes
        DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true);
        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator); // RegisterNatives binds zcvsd1wr2t and sdwioxccsd
        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");
    }

    public static void main(String[] args) {
        Main main = new Main();
        main.call_zcvsd1wr2t();
        main.destroy();
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
                // new StringObject(vm, ""),
                new StringObject(vm, "wdi4n2t8edr"),
                // new StringObject(vm, ""),
                0
        );
        System.out.println("Result: " + result);
    }

    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        // android.os.Build$VERSION.SDK_INT, the only static int the .so asks for in the trace
        if ("android/os/Build$VERSION->SDK_INT:I".equals(signature)) {
            return 25;
        }
        return super.getStaticIntField(vm, dvmClass, signature);
    }

    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        System.out.println("callStaticObjectMethodV: " + signature);
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.fenbi.android.leo");
            }
            case "android/content/pm/Signature->toChars()[C": {
                // NOTE: Android's Signature.toChars() hex-encodes the DER bytes (two chars per byte);
                // this one-char-per-byte stub is what yields the 830-element array seen in the trace below
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();
                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```
Which part of my environment fix-up is wrong? The return value is null.
D:\Java\jdk-22\bin\java.exe "-javaagent:D:\JetBrains\IntelliJ IDEA 2024.1.2\lib\idea_rt.jar=23287:D:\JetBrains\IntelliJ IDEA 2024.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath F:\unidbg-master\unidbg-android\target\classes;F:\unidbg-master\unidbg-api\target\classes;C:\Users\Administrator.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\Administrator.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\Administrator.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\Administrator.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\Administrator.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\Administrator.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\Administrator.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Administrator.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;C:\Users\Administrator.m2\repository\net\dongliu\apk-parser\2.6.10\apk-parser-2.6.10.jar;F:\unidbg-master\backend\unicorn2\target\classes;C:\Users\Administrator.m2\repository\org\slf4j\slf4j-api\2.0.5\slf4j-api-2.0.5.jar Main
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47
JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6d4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59
RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9)
RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d)
Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9
JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515
JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f
JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f
JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579
JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d
JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7
JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x19) was called from RX@0x40041603[libRequestEncoder.so]0x41603
JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71
JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd
JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11
JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@631330c) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1
JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653
JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b
callObjectMethodV: android/app/Application->getPackageManager()Landroid/content/pm/PackageManager;
JNIEnv->CallObjectMethodV(android.app.Application@631330c, getPackageManager() => android.content.pm.PackageManager@42f93a98) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df
JNIEnv->CallObjectMethodV(android.app.Application@631330c, getBaseContext() => android.app.ContextImpl@c46bcd4) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf
JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831
JNIEnv->GetMethodID(android/app/ContextImpl.getPackageName()Ljava/lang/String;) => 0xd4c1afb8 was called from RX@0x40041883[libRequestEncoder.so]0x41883
JNIEnv->CallObjectMethodV(android.app.ContextImpl@c46bcd4, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
callObjectMethodV: android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@42f93a98, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@fad74ee) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3
JNIEnv->GetObjectField(android.content.pm.PackageInfo@fad74ee, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@2d9d4f9d]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f
JNIEnv->GetObjectArrayElement([android.content.pm.Signature@2d9d4f9d], 0) => android.content.pm.Signature@2d9d4f9d was called from RX@0x40041921[libRequestEncoder.so]0x41921
JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b
JNIEnv->CallObjectMethodV(android.content.pm.Signature@2d9d4f9d, toChars() => [C@53ca01a2) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetArrayLength([C@53ca01a2 => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991
Result: null
Process finished with exit code 0
Did you create the CharArray as described in the article?
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.IOException;

public class Main extends AbstractJni {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    public DvmClass EClass;
    public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk";

    Main() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.fenbi.android.leo")
                .addBackendFactory(new Unicorn2Factory(true))
                .build(); // create the emulator instance; choose 32-bit or 64-bit emulation here
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true);
        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);
        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");
    }

    public static void main(String[] args) {
        Main main = new Main();
        main.call_zcvsd1wr2t();
        main.destroy();
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator,
                methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
                // new StringObject(vm, ""),
                new StringObject(vm, "wdi4n2t8edr"),
                // new StringObject(vm, ""),
                0
        );
        System.out.println("Result: " + result);
    }

    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 25;
    }

    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        System.out.println("callStaticObjectMethodV: " + signature);
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.fenbi.android.leo");
            }
            case "android/content/pm/Signature->toChars()[C": {
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();
                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Which part of my patching is wrong? The returned result is null.
Yes, I created it.
package com.github.unidbg.linux.android.dvm.array;
import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;
import org.apache.commons.codec.binary.Hex;
public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {
public CharArray(VM vm, char[] value) {
super(vm.resolveClass("[C"), value);
}
@Override
public int length() {
return value.length;
}
public void setValue(char[] value) {
super.value = value;
}
@Override
public void setData(int start, char[] data) {
System.arraycopy(data, 0, value, start, data.length);
}
@Override
public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
if (isCopy != null) {
isCopy.setInt(0, VM.JNI_TRUE);
}
try {
UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 2); // each char occupies 2 bytes
pointer.write(0, value, 0, value.length * 2); // write 2 bytes per char
return pointer;
} catch (Exception e) {
e.printStackTrace();
return null; // handle the exception by returning null
}
}
@Override
public void _ReleaseArrayCritical(Pointer elems, int mode) {
try {
switch (mode) {
case VM.JNI_COMMIT:
this.setValue(elems.getCharArray(0, this.value.length));
break;
case 0:
this.setValue(elems.getCharArray(0, this.value.length));
case VM.JNI_ABORT:
this.freeMemoryBlock(elems);
break;
}
} catch (Exception e) {
e.printStackTrace(); // catch the exception and print it
}
}
@Override
public String toString() {
if (value != null && value.length <= 64) {
return new String(value); // return the string form directly
} else {
return super.toString();
}
}
}
package com.github.unidbg.linux.android.dvm.array;
import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;
public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {
public CharArray(VM vm, char[] value) {
super(vm.resolveClass("[C"), value);
}
@Override
public int length() {
return value.length;
}
public void setValue(char[] value) {
super.value = value;
}
@Override
public void setData(int start, char[] data) {
System.arraycopy(data, 0, value, start, data.length);
}
@Override
public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
if (isCopy != null) {
isCopy.setInt(0, VM.JNI_TRUE);
}
UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 4);
pointer.write(0, value, 0, value.length);
return pointer;
}
@Override
public void _ReleaseArrayCritical(Pointer elems, int mode) {
switch (mode) {
case VM.JNI_COMMIT:
this.setValue(elems.getCharArray(0, this.value.length));
break;
case 0:
this.setValue(elems.getCharArray(0, this.value.length));
case VM.JNI_ABORT:
this.freeMemoryBlock(elems);
break;
}
}
}
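The two CharArray versions above differ in one argument: the first passes `value.length * 2` as the last argument of `pointer.write(...)`, the second passes `value.length`. The example below is an added illustration of mine, not code from the thread or from unidbg, and it uses plain JNA `Memory` instead of unidbg's `UnidbgPointer` (a simplification I assume here so it runs with JNA alone). It shows that the fourth argument of JNA's `Pointer.write(long, char[], int, int)` is a count of char elements, not bytes: the byte-sized count over-reads the source array and throws, and a `_GetArrayCritical` that swallows that exception hands the native code a null pointer, which is consistent with the `Result: null` in the log above. The sample chars are constructed and stand in for whatever `Signature.toChars()` returns; they are not a real certificate.

```java
import com.sun.jna.Memory;
import com.sun.jna.Pointer;

/**
 * Added example (not from the thread or from unidbg): element count versus
 * byte count when copying a Java char[] into native memory with JNA.
 */
public class CharArrayMarshal {

    /** Copies a Java char[] into native memory the way _GetArrayCritical should. */
    public static Pointer toNative(char[] value) {
        // A Java char is a UTF-16 code unit: the native block needs 2 bytes per char.
        Memory block = new Memory((long) value.length * 2);
        // Third and fourth arguments are an index and a count in ELEMENTS, not bytes.
        block.write(0, value, 0, value.length);
        return block;
    }

    /** Reads the chars back, as _ReleaseArrayCritical does for JNI_COMMIT and mode 0. */
    public static char[] fromNative(Pointer block, int length) {
        return block.getCharArray(0, length);
    }

    /**
     * Reproduces the failure mode of the first CharArray version: passing the
     * byte size as the element count. JNA rejects it with an
     * IndexOutOfBoundsException (the bounds check on the Memory block, or the
     * array-region copy in Native.write), which a try/catch that returns null
     * would turn into a null pointer for the native caller.
     */
    public static boolean writeWithByteCountThrows(char[] value) {
        Memory block = new Memory((long) value.length * 2);
        try {
            block.write(0, value, 0, value.length * 2); // asks for twice as many chars as exist
            return false;
        } catch (IndexOutOfBoundsException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data; any char[] works, this is not a real signing certificate.
        char[] sample = "constructed-sample-cert-bytes".toCharArray();

        Pointer p = toNative(sample);
        char[] back = fromNative(p, sample.length);
        System.out.println("round trip ok: " + new String(sample).equals(new String(back)));
        System.out.println("byte-count write throws: " + writeWithByteCountThrows(sample));
    }
}
```

Run it with JNA on the classpath (unidbg already pulls in `net.java.dev.jna:jna`). The first line should print `true` and the second `true`; the same element-count rule applies to `getCharArray(0, this.value.length)` in `_ReleaseArrayCritical`, which both versions above already call with the element count.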
import com.github.unidbg.Module; import com.github.unidbg.arm.backend.Unicorn2Factory; import com.github.unidbg.linux.android.AndroidEmulatorBuilder; import com.github.unidbg.linux.android.AndroidResolver; import com.github.unidbg.linux.android.dvm.*; import com.github.unidbg.linux.android.dvm.array.CharArray; import com.github.unidbg.memory.Memory; import net.dongliu.apk.parser.bean.CertificateMeta; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.io.File; import java.io.IOException; public class Main extends AbstractJni { private static final Logger log = LoggerFactory.getLogger(Main.class); private final AndroidEmulator emulator; private final VM vm; private final Module module; public DvmClass EClass; public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk"; Main() { emulator = AndroidEmulatorBuilder.for32Bit() .setProcessName("com.fenbi.android.leo") .addBackendFactory(new Unicorn2Factory(true)) .build(); // 创建模拟器实例,要模拟32位或者64位,在这里区分 final Memory memory = emulator.getMemory(); memory.setLibraryResolver(new AndroidResolver(23)); vm = emulator.createDalvikVM(new File(apkPath)); vm.setVerbose(true); DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true); vm.setJni(this); module = dm.getModule(); dm.callJNI_OnLoad(emulator); EClass = vm.resolveClass("com/fenbi/android/leo/utils/e"); } public static void main(String[] args) { Main main = new Main(); main.call_zcvsd1wr2t(); main.destroy(); } public void call_zcvsd1wr2t() { String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;"; StringObject result = EClass.callStaticJniMethodObject( emulator, methodId, new StringObject(vm, "/leo-gateway/android/auth/password"), // new StringObject(vm, ""), new StringObject(vm, "wdi4n2t8edr"), // new StringObject(vm, ""), 0 ); System.out.println("Result: " + result); } @Override public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) { return 25; } @Override public 
DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) { switch (signature) { case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;": return vm.resolveClass("android/app/Application").newObject(null); } System.out.println("callStaticObjectMethodV: " + signature); return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList); } @Override public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) { switch (signature) { case "android/app/Application->getBaseContext()Landroid/content/Context;": { return vm.resolveClass("android/app/ContextImpl").newObject(null); } case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": { return new StringObject(vm, "com.fenbi.android.leo"); } case "android/content/pm/Signature->toChars()[C": { CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue(); byte[] bytes = certificateMeta.getData(); char[] chars = new char[bytes.length]; for (int i = 0; i < bytes.length; i++) { chars[i] = (char) bytes[i]; } return new CharArray(vm, chars); } } return super.callObjectMethodV(vm, dvmObject, signature, vaList); } ; private void destroy() { try { emulator.close(); } catch (IOException e) { e.printStackTrace(); } } }
我补的哪个地方有问题,返回结果为null
D:\Java\jdk-22\bin\java.exe "-javaagent:D:\JetBrains\IntelliJ IDEA 2024.1.2\lib\idea_rt.jar=23287:D:\JetBrains\IntelliJ IDEA 2024.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath F:\unidbg-master\unidbg-android\target\classes;F:\unidbg-master\unidbg-api\target\classes;C:\Users\Administrator.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\Administrator.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\Administrator.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\Administrator.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\Administrator.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\Administrator.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\Administrator.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Administrator.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;C:\Users\Administrator.m2\repository\net\dongliu\apk-parser\2.6.10\apk-parser-2.6.10.jar;F:\unidbg-master\backend\unicorn2\target\classes;C:\Users\Administrator.m2\repository\org\slf4j\slf4j-api\2.0.5\slf4j-api-2.0.5.jar Main SLF4J: No SLF4J providers were found. SLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details. 
JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47
JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6d4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59
RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9)
RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d)
Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9
JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515
JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f
JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f
JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579
JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d
JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7
JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x19) was called from RX@0x40041603[libRequestEncoder.so]0x41603
JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71
JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd
JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11
JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@631330c) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1
JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653
JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b
callObjectMethodV: android/app/Application->getPackageManager()Landroid/content/pm/PackageManager;
JNIEnv->CallObjectMethodV(android.app.Application@631330c, getPackageManager() => android.content.pm.PackageManager@42f93a98) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df
JNIEnv->CallObjectMethodV(android.app.Application@631330c, getBaseContext() => android.app.ContextImpl@c46bcd4) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf
JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831
JNIEnv->GetMethodID(android/app/ContextImpl.getPackageName()Ljava/lang/String;) => 0xd4c1afb8 was called from RX@0x40041883[libRequestEncoder.so]0x41883
JNIEnv->CallObjectMethodV(android.app.ContextImpl@c46bcd4, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
callObjectMethodV: android/content/pm/PackageManager->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@42f93a98, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@fad74ee) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3
JNIEnv->GetObjectField(android.content.pm.PackageInfo@fad74ee, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@2d9d4f9d]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f
JNIEnv->GetObjectArrayElement([android.content.pm.Signature@2d9d4f9d], 0) => android.content.pm.Signature@2d9d4f9d was called from RX@0x40041921[libRequestEncoder.so]0x41921
JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b
JNIEnv->CallObjectMethodV(android.content.pm.Signature@2d9d4f9d, toChars() => [C@53ca01a2) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetArrayLength([C@53ca01a2 => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991
Result: null
Process finished with exit code 0
Did you create the CharArray as described in the article?
Yes, I did:
package com.github.unidbg.linux.android.dvm.array;

import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;

public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {
    public CharArray(VM vm, char[] value) {
        super(vm.resolveClass("[C"), value);
    }

    @Override
    public int length() {
        return value.length;
    }

    public void setValue(char[] value) {
        super.value = value;
    }

    @Override
    public void setData(int start, char[] data) {
        System.arraycopy(data, 0, value, start, data.length);
    }

    @Override
    public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
        if (isCopy != null) {
            isCopy.setInt(0, VM.JNI_TRUE);
        }
        try {
            UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 2); // each char takes 2 bytes
            pointer.write(0, value, 0, value.length * 2); // write 2 bytes per char
            return pointer;
        } catch (Exception e) {
            e.printStackTrace();
            return null; // handle the exception and return null
        }
    }

    @Override
    public void _ReleaseArrayCritical(Pointer elems, int mode) {
        try {
            switch (mode) {
                case VM.JNI_COMMIT:
                    this.setValue(elems.getCharArray(0, this.value.length));
                    break;
                case 0:
                    this.setValue(elems.getCharArray(0, this.value.length));
                    // fall through: mode 0 copies the data back and then frees the block
                case VM.JNI_ABORT:
                    this.freeMemoryBlock(elems);
                    break;
            }
        } catch (Exception e) {
            e.printStackTrace(); // catch the exception and print it
        }
    }

    @Override
    public String toString() {
        if (value != null && value.length <= 64) {
            return new String(value); // return the string representation directly
        } else {
            return super.toString();
        }
    }
}
package com.github.unidbg.linux.android.dvm.array;

import com.github.unidbg.Emulator;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.pointer.UnidbgPointer;
import com.sun.jna.Pointer;

public class CharArray extends BaseArray<char[]> implements PrimitiveArray<char[]> {
    public CharArray(VM vm, char[] value) {
        super(vm.resolveClass("[C"), value);
    }

    @Override
    public int length() {
        return value.length;
    }

    public void setValue(char[] value) {
        super.value = value;
    }

    @Override
    public void setData(int start, char[] data) {
        System.arraycopy(data, 0, value, start, data.length);
    }

    @Override
    public UnidbgPointer _GetArrayCritical(Emulator<?> emulator, Pointer isCopy) {
        if (isCopy != null) {
            isCopy.setInt(0, VM.JNI_TRUE);
        }
        UnidbgPointer pointer = this.allocateMemoryBlock(emulator, value.length * 4);
        pointer.write(0, value, 0, value.length);
        return pointer;
    }

    @Override
    public void _ReleaseArrayCritical(Pointer elems, int mode) {
        switch (mode) {
            case VM.JNI_COMMIT:
                this.setValue(elems.getCharArray(0, this.value.length));
                break;
            case 0:
                this.setValue(elems.getCharArray(0, this.value.length));
                // fall through: mode 0 copies the data back and then frees the block
            case VM.JNI_ABORT:
                this.freeMemoryBlock(elems);
                break;
        }
    }
}
Sorry, I copied your code and it still doesn't work.
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.io.IOException;

public class Main extends AbstractJni {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    public DvmClass EClass;
    public String apkPath = "F:\\unidbg-master\\apks\\小猿口算.apk";

    Main() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.fenbi.android.leo")
                .addBackendFactory(new Unicorn2Factory(true))
                .build(); // create the emulator instance; 32-bit vs. 64-bit is chosen here
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("F:\\unidbg-master\\apks\\libRequestEncoder.so"), true);
        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);
        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");
    }

    public static void main(String[] args) {
        Main main = new Main();
        main.call_zcvsd1wr2t();
        main.destroy();
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        StringObject result = EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
                // new StringObject(vm, ""),
                new StringObject(vm, "wdi4n2t8edr"),
                // new StringObject(vm, ""),
                0
        );
        System.out.println("Result: " + result);
    }

    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 25;
    }

    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        System.out.println("callStaticObjectMethodV: " + signature);
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
            }
            case "android/app/ContextImpl->getPackageName()Ljava/lang/String;": {
                return new StringObject(vm, "com.fenbi.android.leo");
            }
            case "android/content/pm/Signature->toChars()[C": {
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();
                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Which part of my patching is wrong? The result comes back null.
D:\Java\jdk-22\bin\java.exe "-javaagent:D:\JetBrains\IntelliJ IDEA 2024.1.2\lib\idea_rt.jar=23287:D:\JetBrains\IntelliJ IDEA 2024.1.2\bin" -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.stderr.encoding=UTF-8 -classpath F:\unidbg-master\unidbg-android\target\classes;F:\unidbg-master\unidbg-api\target\classes;C:\Users\Administrator.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\Administrator.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\Administrator.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\Administrator.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\Administrator.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\Administrator.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\Administrator.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\Administrator.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\Administrator.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;C:\Users\Administrator.m2\repository\net\dongliu\apk-parser\2.6.10\apk-parser-2.6.10.jar;F:\unidbg-master\backend\unicorn2\target\classes;C:\Users\Administrator.m2\repository\org\slf4j\slf4j-api\2.0.5\slf4j-api-2.0.5.jar Main
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
You could try checking your Java-layer code; something may have been mistyped somewhere.
Which version of 小猿口算 are you using? I copied your code and still get null as well.
3.84.1
I'm using the latest version, 3.93.4; it may be due to the version update.
You can upload the .so to a cloud drive and send it to me, and I'll patch it.
OK, thanks a lot: https://pan.baidu.com/s/1Jcq_Z0aspdXBJ5At__yVoQ?pwd=xmru
Use this instead: https://4275.com/ Baidu is too annoying.
OK.
apk: http://4275.com/qwxa5i
so: http://4275.com/4udir2
It's probably a mistake in your code.
It still runs fine here:
package com.xiaoyuan;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.debugger.Debugger;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.CharArray;
import com.github.unidbg.memory.Memory;
import net.dongliu.apk.parser.bean.CertificateMeta;

import java.io.File;
import java.io.IOException;

public class Xiaoyuan extends AbstractJni {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    public DvmClass EClass;
    public String apkPath = "/Users/jiangxia/unidbg/apks/xyks.apk";

    Xiaoyuan() {
        emulator = AndroidEmulatorBuilder.for32Bit().build();
        final Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(new File("/Users/jiangxia/unidbg/apks/libRequestEncoder1.so"), true); // load the .so into emulated memory
        vm.setJni(this);
        module = dm.getModule();
        dm.callJNI_OnLoad(emulator);
        EClass = vm.resolveClass("com/fenbi/android/leo/utils/e");
        Debugger debugger = emulator.attach();
        // debugger.addBreakPoint(module.base + 0x43434 + 1);
    }

    public void call_zcvsd1wr2t() {
        String methodId = "zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;";
        EClass.callStaticJniMethodObject(
                emulator, methodId,
                new StringObject(vm, "/leo-gateway/android/auth/password"),
                new StringObject(vm, "wdi4n2t8edr"),
                -28673
        );
    }

    public static void main(String[] args) {
        Xiaoyuan getSign = new Xiaoyuan();
        getSign.call_zcvsd1wr2t();
        getSign.destroy();
    }

    private void destroy() {
        try {
            emulator.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public int getStaticIntField(BaseVM vm, DvmClass dvmClass, String signature) {
        return 27;
    }

    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        switch (signature) {
            case "com/fenbi/android/leo/activity/HomeActivity->b()Landroid/app/Application;":
                return vm.resolveClass("android/app/Application").newObject(null);
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }

    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        switch (signature) {
            case "android/app/Application->getBaseContext()Landroid/content/Context;": {
                return vm.resolveClass("android/content/Context").newObject(null);
            }
            case "android/content/pm/Signature->toChars()[C": {
                CertificateMeta certificateMeta = (CertificateMeta) dvmObject.getValue();
                byte[] bytes = certificateMeta.getData();
                char[] chars = new char[bytes.length];
                for (int i = 0; i < bytes.length; i++) {
                    chars[i] = (char) bytes[i];
                }
                return new CharArray(vm, chars);
            }
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }
}
I found the cause, thanks.
It was because my Java file was placed in unidbg-android/main/java.
After moving it to unidbg-android/main/test/java/com/xiaoyuan to match your layout, a new error appeared:
[13:09:22 622] WARN [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:537) - handleInterrupt intno=2, NR=-1073744096, svcNumber=0x1b3, PC=unidbg@0xfffe0bc4, LR=RX@0x400419a3[libRequestEncoder.so]0x419a3, syscall=null
java.lang.AbstractMethodError
at com.github.unidbg.pointer.UnidbgPointer.write(UnidbgPointer.java:198)
at com.github.unidbg.linux.android.dvm.array.CharArray._GetArrayCritical(CharArray.java:34)
at com.github.unidbg.linux.android.dvm.DalvikVM$180.handle(DalvikVM.java:2855)
at com.github.unidbg.linux.ARM32SyscallHandler.hook(ARM32SyscallHandler.java:133)
at com.github.unidbg.arm.backend.UnicornBackend$11.hook(UnicornBackend.java:345)
at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128)
at unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:376)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:378)
at com.github.unidbg.thread.Function32.run(Function32.java:39)
at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:175)
at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:99)
at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:341)
at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:255)
at com.github.unidbg.Module.emulateFunction(Module.java:163)
at com.github.unidbg.linux.android.dvm.DvmObject.callJniMethod(DvmObject.java:135)
at com.github.unidbg.linux.android.dvm.DvmClass.callStaticJniMethodObject(DvmClass.java:316)
at com.xiaoyuan.Xiaoyuan.call_zcvsd1wr2t(Xiaoyuan.java:41)
at com.xiaoyuan.Xiaoyuan.main(Xiaoyuan.java:56)
Then, based on the error, I changed write to:
    @Override
    public void write(long offset, char[] buf, int index, int length) {
        for (int i = index; i < length; i++) {
            setChar((i - index) * 4L + offset, buf[i]);
        }
        // throw new AbstractMethodError();
    }
and then I got a result:
JNIEnv->FindClass(com/fenbi/android/leo/utils/e) was called from RX@0x40041b47[libRequestEncoder.so]0x41b47
JNIEnv->RegisterNatives(com/fenbi/android/leo/utils/e, unidbg@0xbffff6e4, 2) was called from RX@0x40041b59[libRequestEncoder.so]0x41b59
RegisterNative(com/fenbi/android/leo/utils/e, zcvsd1wr2t(Ljava/lang/String;Ljava/lang/String;I)Ljava/lang/String;, RX@0x400414e9[libRequestEncoder.so]0x414e9)
RegisterNative(com/fenbi/android/leo/utils/e, sdwioxccsd()Ljava/lang/String;, RX@0x40040c6d[libRequestEncoder.so]0x40c6d)
Find native function Java_com_fenbi_android_leo_utils_e_zcvsd1wr2t => RX@0x400414e9[libRequestEncoder.so]0x414e9
JNIEnv->GetStringUtfChars("wdi4n2t8edr") was called from RX@0x40041515[libRequestEncoder.so]0x41515
JNIEnv->ReleaseStringUTFChars("wdi4n2t8edr") was called from RX@0x4004153f[libRequestEncoder.so]0x4153f
JNIEnv->GetStringUtfChars("/leo-gateway/android/auth/password") was called from RX@0x4004154f[libRequestEncoder.so]0x4154f
JNIEnv->ReleaseStringUTFChars("/leo-gateway/android/auth/password") was called from RX@0x40041579[libRequestEncoder.so]0x41579
JNIEnv->FindClass(android/os/Build$VERSION) was called from RX@0x4004159d[libRequestEncoder.so]0x4159d
JNIEnv->GetStaticFieldID(android/os/Build$VERSION.SDK_INTI) => 0x1e4ff4f1 was called from RX@0x400415e7[libRequestEncoder.so]0x415e7
JNIEnv->GetStaticIntField(class android/os/Build$VERSION, SDK_INT => 0x1b) was called from RX@0x40041603[libRequestEncoder.so]0x41603
JNIEnv->FindClass(android/app/Application) was called from RX@0x40041e71[libRequestEncoder.so]0x41e71
JNIEnv->FindClass(com/fenbi/android/leo/activity/HomeActivity) was called from RX@0x40041ecd[libRequestEncoder.so]0x41ecd
JNIEnv->GetStaticMethodID(com/fenbi/android/leo/activity/HomeActivity.b()Landroid/app/Application;) => 0xeaf0f761 was called from RX@0x40041f11[libRequestEncoder.so]0x41f11
JNIEnv->CallStaticObjectMethodV(class com/fenbi/android/leo/activity/HomeActivity, b() => android.app.Application@18a70f16) was called from RX@0x40041fb1[libRequestEncoder.so]0x41fb1
JNIEnv->GetMethodID(android/app/Application.getPackageManager()Landroid/content/pm/PackageManager;) => 0x630dae39 was called from RX@0x40041653[libRequestEncoder.so]0x41653
JNIEnv->GetMethodID(android/app/Application.getBaseContext()Landroid/content/Context;) => 0xce15ef92 was called from RX@0x4004169b[libRequestEncoder.so]0x4169b
JNIEnv->CallObjectMethodV(android.app.Application@18a70f16, getPackageManager() => android.content.pm.PackageManager@62e136d3) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ApplicationPackageManager) was called from RX@0x400416df[libRequestEncoder.so]0x416df
JNIEnv->CallObjectMethodV(android.app.Application@18a70f16, getBaseContext() => android.content.Context@c8e4bb0) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->FindClass(android/app/ContextImpl) was called from RX@0x400417cf[libRequestEncoder.so]0x417cf
JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x40041831[libRequestEncoder.so]0x41831
JNIEnv->GetMethodID(android/content/Context.getPackageName()Ljava/lang/String;) => 0xf6590850 was called from RX@0x40041883[libRequestEncoder.so]0x41883
JNIEnv->CallObjectMethodV(android.content.Context@c8e4bb0, getPackageName() => "com.fenbi.android.leo") was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@62e136d3, getPackageInfo("com.fenbi.android.leo", 0x40) => android.content.pm.PackageInfo@14d3bc22) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400418f3[libRequestEncoder.so]0x418f3
JNIEnv->GetObjectField(android.content.pm.PackageInfo@14d3bc22, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@31c88ec8]) was called from RX@0x4004190f[libRequestEncoder.so]0x4190f
JNIEnv->GetObjectArrayElement([android.content.pm.Signature@31c88ec8], 0) => android.content.pm.Signature@31c88ec8 was called from RX@0x40041921[libRequestEncoder.so]0x41921
JNIEnv->GetMethodID(android/content/pm/Signature.toChars()[C) => 0xa108b7de was called from RX@0x4004196b[libRequestEncoder.so]0x4196b
JNIEnv->CallObjectMethodV(android.content.pm.Signature@31c88ec8, toChars() => [C@3d51f06e) was called from RX@0x40041f6d[libRequestEncoder.so]0x41f6d
JNIEnv->GetArrayLength([C@3d51f06e => 830) was called from RX@0x40041991[libRequestEncoder.so]0x41991
JNIEnv->NewStringUTF("4a1e61de7310f4f36427dc675243d2a2") was called from RX@0x40041a83[libRequestEncoder.so]0x41a83
"4a1e61de7310f4f36427dc675243d2a2"
Process finished with exit code 0
This can only be used to help analyse the algorithm. If you have the skills, you could try standing up a service and testing whether it actually works; directly substituting the sign doesn't seem to work for me.
I found that when the first argument is empty, the encrypted string matches the hook result, but when it's non-empty it doesn't match.
Could you post a screenshot or some of the key code? The first argument should be the URL path, right?
Where did you download the apk? Why is the library I see 32-bit, while the one I downloaded is 64-bit?
pcVar22 = (char *)operator_new__(0x20);
The pcVar22 in this line should be pointing at the RC4 key, but the computation is too complicated. g fun_001eefc.txt
import numpy as np

def generate_custom_key():
    T = np.zeros(256, dtype=np.uint8)
    lookup_table1 = [((i * 7 + 13) % 256) for i in range(256)]
    lookup_table2 = [((i * 11 + 29) % 256) for i in range(256)]
    for i in range(256):
        value = i
        bit_count = bin(value).count('1')
        temp = ((value << 3) + (value >> 2)) & 0xFF
        temp ^= lookup_table1[i]
        temp = (temp + bit_count * 17) & 0xFF
        temp ^= lookup_table2[(temp + i) % 256]
        T[i] = temp
    return T.tolist()
Written in Python; reading the pseudocode is really exhausting.
Not sure whether it's correct; anyone willing to test it is welcome.
https://github.com/LanBaiCode/xiaoyuan_unidbg
This issue can be closed now; a Kanxue expert has stepped in: https://bbs.kanxue.com/thread-283960.htm